Does pulldown menu have risk of MySQL injection

Question

I want my websites allow users to use pulldown menu to filter through a list of data provided by MySQL. The choices from the pulldown menu is used in the following way:

$pulldown_choice = _GET['pulldown_choice'];
..... #other codes here
$sql = "SELECT * FROM tablename WHERE item LIKE '%$pulldown_choice%';

My question is: do I need to worry about database injection from the pre-defined, pulldown list choices? Thanks!

You're best off using parameters for anything which you might want to concatenate into your SQL. So, basically, be safe and use parameterized queries, always. — Bob Jarvis - Слава Україні, Jul 19 '15 at 02:08
Obviously someone could pass in `*` and spoof your query. So yes, you need to worry about injection here. — Tim Biegeleisen, Jul 19 '15 at 02:19
@Tim Biegeleisen, I don't exactly understand how a "*" could be passed in from a pulldown menu with preset choices? Can you give an example? — LearnAWK, Jul 19 '15 at 02:32
How about an app that spoofs as your app and sends whatever it wants as parameters in an http get — Drew, Jul 19 '15 at 02:35
You don't even need an app. You could send a get from the JavaScript console. Or you could use SOAP UI if feeling a bit more diabolical. — Tim Biegeleisen, Jul 19 '15 at 02:59

score 1 · Answer 1 · answered Jul 19 '15 at 02:36

1

Someone might tinker around with the request and manually invoke the URL with ...?pulldown_choice=WHATEVER_YOU_WANT (e.g. *).

I probably would only pass an index and have the options on your server side fixed.

answered Jul 19 '15 at 02:36

user2084865

625
1
7
18

I do this all the time. It is far from uncommon but the average programmer never thinks about it imo – Drew Jul 19 '15 at 02:39
Your comments are eye openers for me. I will definitely read more about this topic. – LearnAWK Jul 19 '15 at 03:58

Does pulldown menu have risk of MySQL injection

1 Answers1